DFIR MONTEREY 2015 Network Forensics Challenge

DFIR Monterey 2015 Network Forensics Challenge

The object of the DFIR Monterey 2015 challenge is simple: Download the network forensics dataset and attempt to answer the 6 questions. To successfully submit for the contest, all answers must be attempted. Each person that correctly answers 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. The contest ends on February 3, 2015 and we will announce the winner by February 9, 2015. Good luck!

Win a free DFIR OnDemand course by downloading the network forensic dataset and answering the following questions.

DOWNLOAD LINK FOR NETWORK Data: http://dfir.to/FOR572-Challenge-Data

To successfully submit for the contest. All answers must be attempted. Please include your name and email address.

The winner will be able to choose from the below DFIR OnDemand courses:

SEC504: Hacker Techniques, Exploits & Incident Handling

FOR408: Computer Forensic Investigations - Windows In-Depth

FOR508: Advanced Computer Forensic Analysis and Incident Response

FOR526: Memory Forensics In-Depth

FOR572: Advanced Network Forensics and Analysis

FOR585: Advanced Smartphone Forensics

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques

SANS OnDemand:

SANS OnDemand is the world's leading comprehensive online training for information security professionals. OnDemand offers more than 25 SANS courses whenever and wherever you want from your computer (Windows, Mac, and Linux), iPad or Android tablet. OnDemand allows you to learn at your own pace, spend extra time on complex principles, reinforce concepts with quizzes, and repeat lab exercises - all of which increases your retention of the course material.

Your course enrollment gives you printed course books, CD/DVDs/USBs/Toolkits for hands-on exercises (as applicable), four months of online access to our OnDemand e-learning platform featuring a top SANS instructor presenting the material, quizzes, and synchronized video demonstrations/interactive labs (as applicable).

The Network Challenge is sponsored by DFIR Monterey 2015.  To learn more about DFIR Monterey 2015, please visit http://dfir.to/DFIRMonterey15


1.       Entry: Each participant may respond only once for the challenge. Contest begins on Monday, December 1, 2014 and ends Tuesday, February 3rd 2015. Responses must be submitted by 9pm EST on February 3rd.

2.       Prize: Each person that correctly answers at least 4 of the 6 questions will be entered into a drawing to win a FREE DFIR OnDemand course. SANS will choose only one winner, the seat is transferable to another in the same organization/company and does not include a certification attempt. The winner will be chosen by February 9th, 2015 and will be notified by email.

Questions regarding the challenge?  Please send to DFIR-Challenge "at" sans.org. (DFIR-Challenge@sans.org ) 

Question Title

* 1. Difficulty: Easy
Evidence: SWT-syslog_messages
Question: At what time (UTC, including year) did the portscanning activity from IP address start?

Question Title

* 2. Difficulty: Easy
Evidence: nitroba.pcap
Question: What IP addresses were used by the system claiming the MAC Address 00:1f:f3:5a:77:9b?

Question Title

* 3. Difficulty: Medium
Evidence: ftp-example.pcap
Question: What IP (source and destination) and TCP ports (source and destination) are used to transfer the “scenery-backgrounds-6.0.0-1.el6.noarch.rpm” file?

Question Title

* 4. Difficult: Medium
Evidence: nfcapd.201405230000 (requires nfdump v1.6.12. Note that nfcapd.201405230000.txt is the same data in nfdump’s “long” output format.)
Question: How many IP addresses attempted to connect to destination IP address on the default SSH port?

Question Title

* 5. Difficulty: Hard
Evidence: stark-20120403-full-smb_smb2.pcap
Question: What is the byte size for the file named “Researched Sub-Atomic Particles.xlsx”

Question Title

* 6. Difficulty: Very Hard
Evidence: snort.log.1340504390.pcap
Question: The traffic in this Snort IDS pcap log contains traffic that is suspected to be a malware beaconing. Identify the substring and offset for a common substring that would support a unique Indicator Of Compromise for this activity.
Bonus Question: Identify the meaning of the bytes that precede the substring above.

Question Title

* 7. What is your name?

Question Title

* 8. What is your email address?